CVE-2018-14667
CRITICAL severity · CVSS 9.8 · Code injection · actively exploited (CISA KEV)
9.8CVSS CRITICAL ● exploited
🔴 Actively exploited in the wild (CISA Known Exploited Vulnerabilities).
Added to KEV 2023-09-28. US federal agencies must patch by 2023-10-19.
Summary
The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)89%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products we track (1)
Recommendation
This vulnerability is being actively exploited in the wild — patch affected products urgently. Open any affected product above for its exact safe version.
Additional information
- NVD record
- https://access.redhat.com/errata/RHSA-2018:3517Advisory
- https://access.redhat.com/errata/RHSA-2018:3518Advisory
- https://access.redhat.com/errata/RHSA-2018:3519Advisory
- https://access.redhat.com/errata/RHSA-2018:3581Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14667Advisory
- http://packetstormsecurity.com/files/156663/Richsploit-RichFaces-Exploitation-Toolkit.htmlAdvisory
- http://seclists.org/fulldisclosure/2020/Mar/21Advisory
- http://www.securitytracker.com/id/1042037Advisory